Appreciation goes out to everyone who contributed to the 6.0.0 release ! Since I have only tested 6.0 via the Showcase applications (it worked well for both), I will abstain my vote for now: +0.
One item to mention: I noticed that the 6.0.0 standalone artifacts seem to have md5 and sha1 hashfiles generated (instead of sha256, sha512). It looks like that was the case for 2.5.30 as well, but 2.5.29 has sha256 and sha512 hashfiles, so something may have changed in the build packaging flow since then. Regards, James. On 2022/06/02 08:05:23 Lukasz Lenart wrote: > The Apache Struts ver. 6.0.0 aka Apache Struts 2 ver. 2.6.0 test build > is available. With this release the following areas were addressed: > > Version change: > You can be surprised by the version change, previously we have been > using Struts 2.5.x versioning schema, but this was a bit misleading. > Struts 2 is a different framework than Struts 1 and its versioning is > supposed to start with 1.0.0, yet that never happened. With each > breaking changes release (like Struts 2.5), we had been only upgrading > the MINOR part of the versioning schema. To fix that problem as from > Struts 2 ver. 6.0.0 (aka Struts 2.6) we adopt a proper SemVer to > avoid such confusion. > > Internal Changes: > The framework requires Java 8 at runtime. Also Servlet API 3.1 capable > container is required. > OGNL expressions are limited to 256 characters by default. See WW-5179 > - Set 'struts.ognl.expressionMaxLength' to 256 by default RESOLVED and > docs for more details. > Yasser's PR has been merged which contains a fix to double evaluation > security vulnerability - it should solve any future attack vectors, > yet it can impact your application if you have been depending on > double evaluation. How to test: > Run all your app tests, you shouldn't see any WARN log like below: > Expression [so-and-so] isn't allowed by pattern [so-and-so]! See > Accepted / Excluded patterns at https://struts.apache.org/security/ > See if following components are still functioning correctly regarding > java-scripts: > - forms with client side validations > - doubleselect > - combobox > Check also StreamResults, AliasInterceptors and JasperReportResults if > they are still working as expected. > Support to access static methods via OGNL expressions has been > removed, use action instance methods instead. > > Bug > [WW-3534] - PrepareOperations.createActionContext does not detect > existing context correctly > [WW-3730] - action tag accepts only String arrays as parameters > [WW-4723] - s:url incompatible with JDK 1.5 > [WW-4742] - Problem with escape when the key from getText has no value > [WW-4865] - Struts s:checkbox conversion fails to List<Integer> > [WW-4866] - ASM 5.2 and Java 9 leads to IllegalArgumentException > [WW-4897] - KEYS, sigs and hashes should use https (SSL) > [WW-4902] - Struts 2 fails to init Dispatcher - Tomcat Embedded > [WW-4928] - Setting struts.devMode from system property not working as > described > [WW-4930] - SMI cannot be diasabled for action-packages found via the > convention-plugin > [WW-4941] - [jar_cache] Some jar_cache******.tmp files are generated > into a temporary directory(/tmp) during web service start > [WW-4943] - opensymphony.xwork2.util.LocalizedTextUtil can't get i18n > resources > [WW-4944] - Struts 2 REST Tiles integration issue > [WW-4945] - TagUtils#buildNamespace should throw an exception when > invocation is null > [WW-4946] - Strtus 2 spring integrations is failing - fails to init > Dispatcher - Tomcat Embedded > [WW-4948] - Struts 2.5.16 is creating jar_cache files in temp folder > [WW-4951] - MD5 and SHA1 should no longer be provided on download pages > [WW-4954] - xml-validation fails since struts 2.5.17 > [WW-4957] - Update struts version from 2.5.10 to 2.5.17. > LocalizedTextUtil class is removed and > GlobalLocalizedTextProvider&StrutsLocalizedTextProvider cannot be used > instead. > [WW-4958] - File upload fails from certain clients > [WW-4964] - Missing javascript in form-validate.ftl > [WW-4968] - combining s:set and s:property where the property > retrieved is null has unexpected results > [WW-4971] - s:include tag fails with truncated content in certain > circumstances > [WW-4974] - NullPointerException in > DefaultStaticContentLoader#findStaticResource > [WW-4977] - Fixing flaky test in Jsr168DispatcherTest and Jsr286DispatcherTest > [WW-4984] - Static files like css and js files in struts-core not > properly served > [WW-4986] - Race condition reloading config results in actions not found > [WW-4987] - Setting Struts2 <s:select> options Css Class > [WW-4991] - Not existing property in listValueKey throws exception > [WW-4997] - <s:debug> can't be resolved > [WW-4999] - Can't get OgnlValueStack log even if enable logMissingProperties > [WW-5002] - Package Level Properties in Global Results > [WW-5004] - No more calling of a static variable in Struts 2.8.20 available > [WW-5006] - NullPointerException in ProxyUtil class when accessing static > member > [WW-5009] - EmptyStackException in JSON plugin due to concurrency > [WW-5011] - Tiles bug when parsing file:// URLs including # as part of the URL > [WW-5013] - Accessing static variable via OGNL returns nothing > [WW-5022] - Struts 2.6 escaping behaviour change for s:a (anchor) tag > [WW-5024] - HttpParameters.Builder can wrap objects in two layers of > Parameters > [WW-5025] - Binding Integer Array upon form submission > [WW-5026] - Double-submit of TokenSessionStoreInterceptor broken since 2.5.16 > [WW-5027] - xerces tries to load resources from the internet > [WW-5028] - Dispatcher prints stacktraces directly to the console > [WW-5029] - The content allowed-methods tag of the XML configuration > is sometimes truncated > [WW-5030] - ClassNotFoundException - MockPortletResponse > [WW-5031] - OGNL: An illegal reflective access operation has occurred > [WW-5043] - trouble with Enum subclassing > [WW-5054] - Debugging Interceptor debug=browser not working > [WW-5058] - Invalid link in primer.html > [WW-5059] - primer.html link to spring-security is broken > [WW-5065] - AbstractMatcher adds values to the map passed into > replaceParameters > [WW-5072] - Minor bug in single file upload example of the Showcase > application > [WW-5074] - Multiple ASM jar conflict in 2.6 build > [WW-5076] - struts2 redirecting to https to http > [WW-5077] - Unable to set long pathname variables > [WW-5079] - Could not find StrutsPrepareAndExecuteFilter sometime in WAS > server > [WW-5081] - Struts default textarea template fails w3c validation > [WW-5082] - struts2 update from 2.1.6 to 2.3.37 > [WW-5086] - s:set with empty body > [WW-5087] - AliasInterceptor doesn't properly handle Parameter.Empty > [WW-5088] - Empty file upload gives wrong error message > [WW-5091] - Switched hash and PGP links > [WW-5093] - inconsistent scope for variables created with s:set and s:url > [WW-5095] - Junit plugin does not push ACTION_MAPPING into the context > resulting in NPE > [WW-5096] - Struts2 StaticParametersInterceptor's > addParametersToContext method is not working as expected. > [WW-5100] - incorrect content-type behavior after upgrading to struts 2.5.* > [WW-5102] - Download page issues > [WW-5104] - Please delete old releases > [WW-5106] - The call chains of ActionContext.getContext() in > ServletActionContext are dangerious > [WW-5107] - JQuery plugin does not handle dynamic component ids correctly > [WW-5108] - No errors are reported locally. On linux environment, > tomcat runs alone and reports > java.lang.annotation.AnnotationTypeMismatchException > [WW-5109] - Ognl issue after migrating from strut 2.3 to 2.5 > [WW-5116] - PostbackResult uses wrong regex range > [WW-5117] - %{id} evaluates different for data-* and value attribute > [WW-5119] - Blocking Threads in retrieving text from resource bundle > [WW-5121] - Contention when injecting Scope.SINGLETON instances > [WW-5123] - CheckboxTag value missing for labelposition > [WW-5124] - Tag attribute values cached > [WW-5125] - forbidden name attribute values (size, clone...?) in > <s:textfield> using the default theme > [WW-5129] - Dynamic Attributes are not working for doubleselect, > optiontransferselect, inputtransferselect tags > [WW-5130] - ID param not being set > [WW-5140] - Cannot download struts from the main page > [WW-5146] - Empty file upload ends in error > [WW-5147] - OGNL valid expression is not cached and is parsed over > again in some situations > [WW-5160] - Template not found for name > "Empty{name='templateDir'}/simple/hidden.ftl" > [WW-5163] - Error executing FreeMarker template > [WW-5169] - Key Technologies Primer: Broken link to ResourceBundles > > New Feature > [WW-4598] - async Actions > [WW-4760] - Switch to Servlet API 2.5 > [WW-4874] - Asynchronous action method > [WW-5005] - Struts2 convention plugin lacks Java 11 support > [WW-5049] - Move Velocity support into a dedicated plugin > [WW-5083] - Fetch Metadata support > [WW-5084] - Content Security Policy support > [WW-5085] - Add Cross-Origin Opener Policy and Cross-Origin Embedder > Policy Support > [WW-5101] - AbstractLocalizedTextProvider illegal reflective access > operation has occurred > > Improvement > [WW-685] - Generic error message - Type Conversion Error Handling > [WW-2040] - Struts 1 vs. Struts 2 benchmarking application > [WW-2411] - Add a maxlength attribute to the textarea tag > [WW-2537] - Fix generics in all codebase > [WW-3788] - Convert ServletActionContext to be more as ActionContext > [WW-3877] - Remove altSyntax option > [WW-4043] - Duplicated class TestUtils > [WW-4069] - Upgrade DWR plugin to use the latest available version > [WW-4348] - Remove access to static methods > [WW-4713] - Drop "searchValueStack" attribute from tag <s:text/> > [WW-4763] - Drop deprecated logging layer > [WW-4779] - Remove profiling layer > [WW-4789] - ActionContext should be immutable > [WW-4792] - Removes deprecated XWork constants > [WW-4796] - Rename Spring related flags to use the same pattern > [WW-4799] - make DateConverter configurable > [WW-4875] - Java configuration > [WW-4889] - Implement REST content handlers using Apache Juneau > [WW-4910] - Align OptGroup with Select > [WW-4915] - Replace deprecated commons-lang3 classes > [WW-4927] - Use immutable version of OGNL without access to #context > [WW-4929] - Fallback i18n Locale > [WW-4932] - Conversion fails when generic type is an interface > [WW-4937] - Add SortedSet field support to JSON plugin > [WW-4938] - ObjectFactory should use Container to instantiate actions > and inject dependencies > [WW-4952] - Upgrade to apache-master version 21 > [WW-4963] - Implement new Aware interfaces that are using withXxxx > pattern instead of setters > [WW-4972] - Switch to latest freemarker version when defining > incompatible_improvements > [WW-4995] - Enhancement for s:set tag to improve tag body whitespace control. > [WW-4996] - Refactor DefaultTypeConverterCreator to use > ObjectFactory#buildConverter > [WW-5000] - Replace string literals with proper constants in @Inject > [WW-5001] - Allow to define converters in "struts-conversion.properties" file > [WW-5003] - Use StrutsException instead of XWorkException > [WW-5012] - Make a public state check the first acceptance check in > SecurityMemberAccess > [WW-5017] - Drop @Validation annotation as not needed > [WW-5018] - Add maven enforce plugin to control certain environmental > constraints > [WW-5023] - Upgrade SLF4J to latest 1.7.x version > [WW-5034] - Minor enhancement/fix to AbstractLocalizedTextProvider > [WW-5035] - Provide mechanism to clear OgnlUtil caches > [WW-5036] - update JFreeChart plugin for compatibility with JFreeChart 1.5 > [WW-5052] - Use TypeConversionException instead of StrutsException > [WW-5056] - Standard Accepted Patterns in DefaultAcceptedPatternsChecker > [WW-5057] - Cleanup and/or improvements to Showcase Applications > [WW-5062] - Use downloads.a.o instead of archive > [WW-5063] - Use null check of passed in invocation in all the results > [WW-5064] - Move XWork Spring support into struts2-spring-plugin > [WW-5069] - Improve build behaviour on JDK9+ > [WW-5070] - JSONResult default root object should be set explicitly, > rather than from result of ValueStack.peek() > [WW-5073] - Use TextParser in AbstractMatcher > [WW-5078] - Remove support for <xwork> DTD > [WW-5080] - Allow write directly to a response - define a new result > [WW-5099] - Upgrade JFreeChart plugin to use version 1.5.1 of JFreeChart > [WW-5112] - Add ability (control flag) for TextProviders to prioritize > reads from the default resource bundlest. > [WW-5113] - Drop deprecated constant "struts.xworkTextProvider" > [WW-5114] - Drop deprecated constant "struts.localeProvider" > [WW-5115] - Reduce logging for DMI excluded parameters > [WW-5126] - inconsistancy between Model Driven and Model Driven > Interceptor documentations > [WW-5136] - Make class attribute deprecated > [WW-5152] - Make OVal plugin deprecated > [WW-5153] - Make Portlet, Portlet Mocks and Portlet Tiles plugins deprecated > [WW-5154] - Make GXP plugin deprecated > [WW-5155] - Make OSGi plugin deprecated > [WW-5156] - Make Plexus plugin deprecated > [WW-5157] - Make Sitemesh plugin deprecated > [WW-5164] - Remove deprecated ConversionDescription class > [WW-5168] - Fix missing submitUnchecked and broken disabled attributes > in Javatemplates checkbox tag > [WW-5175] - Add basic LocalDateTime support > [WW-5179] - Set 'struts.ognl.expressionMaxLength' to 256 by default > [WW-5181] - Stop supporting accessing static methods via OGNL expressions > [WW-5182] - Upgrade to Servlet API 3.1 > > Task > [WW-4845] - run, test, and validate Struts2 with Java9 > [WW-4981] - Add support for Java 11 > [WW-4982] - Remove the deprecated JsonLibHandler and outdated json-lib > dependency > [WW-4983] - Set private access modifier for HttpParameters.toMap > [WW-4998] - I18nInterceptor's default storage should store locale > [WW-5010] - Switch to Java 8 > [WW-5016] - Support Java 8 date time in the date tag > [WW-5020] - delete deprecated sitegraph plugin > [WW-5021] - Serve static resources from different path > [WW-5118] - OGNL long conversion > > Dependency > [WW-4887] - Upgrade to Tiles 3.0.8 > [WW-4926] - Upgrade commons-beanutils to version 1.9.3 > [WW-4931] - Upgrade to Apache FreeMarker 2.3.28 version > [WW-4947] - server errors generated by secure-jakarta-multipart-parser-plugin > [WW-4955] - Upgrade to OGNL 3.2.6 > [WW-4956] - Upgrade to Log4j2 2.11.1 > [WW-4965] - Upgrade to OGNL 3.2.7 > [WW-4967] - Upgrade to Jackson 2.9.6 > [WW-4973] - Upgrade to OGNL 3.2.8 > [WW-4975] - Upgraded commons-fileupload to version 1.4 > [WW-4976] - Upgrade ASM to version 7.0 > [WW-4979] - Update multiple Struts 2.6.x libraries to more recent versions > [WW-4980] - Update maven-wrapper to 3.5.4 and add maven-wrapper.jar to > .gitignore > [WW-4985] - Update persistence-api from 1.0 to 1.0.2 for CDI Plugin > [WW-4988] - Upgrade DWR from 1.x to 2.x (for DWR plugin) > [WW-4989] - Use JacksonXML handler instead of XStream as a default > handler for XML in the REST plugin > [WW-4992] - Mark the Embedded JSP plugin as depracted > [WW-4993] - Update OGNL versions for 2.6 and 2.5.x builds > [WW-5007] - Upgrade Jackson library to the latest version > [WW-5019] - Upgrade Log4j to version 2.13.3 > [WW-5032] - Struts 2 Junit Plugin is not working with Zulu JDK11 > [WW-5033] - Update a few Struts 2.5.x libraries to more recent versions > [WW-5037] - Upgrade commons-beanutils to version 1.9.4 > [WW-5038] - Upgrade jackson-databind to version 2.9.9.3 > [WW-5042] - Upgrade jackson-databind to version 2.10.0 > [WW-5045] - Update jasperreports to 6.10.0 > [WW-5047] - Upgrade Velocity to 2.1 and Velocity Tools to 3.0 > [WW-5048] - Update various dependencies to newest version > [WW-5050] - Upgrade to OGNL 3.2.12 > [WW-5061] - CVEs in the library dependencies > [WW-5068] - Update multiple Struts 2.6.x libraries / Maven build plugin > versions > [WW-5075] - Upgrade OSGi to the latest version > [WW-5092] - ASM dependency update to 8.* > [WW-5094] - Upgrade Spring Framework to version 4.3.29.RELEASE > [WW-5097] - Upgrade to OGNL 3.2.16 > [WW-5098] - Upgrade ASM to version 9.0 > [WW-5103] - Upgrade XStream to version 1.4.14 > [WW-5120] - Upgrade Velocity Engine & Velocity Tools > [WW-5122] - Upgrade XStream to version 1.4.16 > [WW-5131] - Upgrade commons-io to version 2.9 > [WW-5134] - Upgrade JasperReports to version 6.17.0 > [WW-5135] - Upgrade XStream to version 1.4.17 > [WW-5142] - Upgrade XStream to version 1.4.18 > [WW-5143] - Upgrade Oval library to ver. 3.2.1 > [WW-5144] - Mark OVal plugin as deprecated > [WW-5148] - Upgrade ASM to version 9.2 > [WW-5151] - Bump to 2.15.0 to fix log4j vulnerability > [WW-5158] - Upgrade Log4j to version 2.16.0 to address security vulnerability > [WW-5161] - Update spring to 4.3.30 > [WW-5162] - Upgrade Log4j to version 2.17.1 to address security vulnerability > [WW-5165] - Update spring to 5.3.x b/c 4.3.x is EOL > [WW-5166] - Update OGNL to 3.3.2 > [WW-5167] - Upgrade XStream to version 1.4.19 > [WW-5171] - Upgrade Apache Log4j 2.17.2 > [WW-5172] - Upgrade freemarker to 2.3.31 > [WW-5174] - Upgrade Jackson-Core to version 2.13.2 and > Jackson-Databind to 2.13.2.1 > > Github release: > * https://github.com/apache/struts/releases/tag/STRUTS_6_0_0 > > Release notes: > * https://cwiki.apache.org/confluence/display/WW/Version+Notes+6.0.0 > > MIgration guide: > * https://cwiki.apache.org/confluence/display/WW/Struts+2.5+to+6.0.0+migration > > Distribution: > * https://dist.apache.org/repos/dist/dev/struts/6.0.0/ > > Maven 2 staging repository: > * https://repository.apache.org/content/repositories/staging/ > > Once you have had a chance to review the test build, please respond > with a vote on its quality: > > [ ] Leave at test build > [ ] Alpha > [ ] Beta > [ ] General Availability (GA) > > Everyone who has tested the build is invited to vote. Votes by PMC > members are considered binding. A vote passes if there are at least > three binding +1s and more +1s than -1s. > > The vote will remain open for at least 72 hours, longer upon request. > A vote can be amended at any time to upgrade or downgrade the quality > of the release based on future experience. If an initial vote > designates the build as "Beta", the release will be submitted for > mirroring and announced to the user list. Once released as a public > beta, subsequent quality votes on a build may be held on the user > list. > > As always, the act of voting carries certain obligations. A binding > vote not only states an opinion, but means that the voter is agreeing > to help do the work. > > > Kind regards > -- > Ćukasz > + 48 606 323 122 http://www.lenart.org.pl/ > > --------------------------------------------------------------------- > To unsubscribe, e-mail: dev-unsubscr...@struts.apache.org > For additional commands, e-mail: dev-h...@struts.apache.org > > --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@struts.apache.org For additional commands, e-mail: dev-h...@struts.apache.org
